Symptoms

This worm is a member of the Win32/Gamarue family. It can steal your personal information and send it to a malicious hacker.

It arrives on your PC in a spam email and can spread to other PCs. It does this by infecting removable drives that you have plugged into your PC, such as USB drives or portable hard disks. If you then plug those drives into another PC, the worm will infect that PC as well.

What to do now

Use the following free Microsoft software to detect and remove this threat:

Gamarue.F also injects code into a newly created process named wuauclt.exe. Note that this is the same file name as the legitimate Windows Update process.

Spreads through...

Removable drives

Depending on the malware configuration, Gamarue.F may copy itself to removable drives, like USB flash drives.

It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.

This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.
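Because an autorun.inf file can be either benign or a launcher, the useful triage step is to list what it would actually start. The following is an added example, not part of the original write-up or any Microsoft tool: the function names and the sample file contents are constructed for illustration, and the launch keys checked are the standard [autorun] entries open, shellexecute and shell\<verb>\command.

```python
import os
import re

# [autorun] keys that start a program when the drive is opened or double-clicked.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)

def decode_inf(data):
    """Decode autorun.inf bytes; the file may be UTF-16 (with BOM) or an ANSI code page."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")  # never fails and keeps the ASCII keys intact

def launch_entries(text):
    """Return [(key, command)] for each launch directive in the [autorun] section."""
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if LAUNCH_KEY.match(key.strip()) and value.strip():
                entries.append((key.strip().lower(), value.strip()))
    return entries

def target_of(command):
    """Heuristic: the program path is the quoted string or the first token."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return m.group(1) or m.group(2)

def triage_drive(root):
    """List what autorun.inf in `root` would launch and whether that file exists."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "rb") as fh:
        text = decode_inf(fh.read())
    return [(key, cmd, os.path.exists(os.path.join(root, target_of(cmd))))
            for key, cmd in launch_entries(text)]

# Constructed samples (not taken from a real infection).
LABEL_ONLY = "[autorun]\nicon=setup.ico\nlabel=Backup Disk\n"
WITH_LAUNCH = ("; padding\nxk3j9\n[AutoRun]\nOpen=hidden\\payload.exe /q\n"
               "shell\\open\\command=\"hidden\\payload.exe\"\nicon=folder.ico\n")

if __name__ == "__main__":
    for name, sample in (("label only", LABEL_ONLY), ("with launch", WITH_LAUNCH)):
        print(name, launch_entries(sample))
```

A file with only icon and label entries yields an empty list; any launch entry names a file on the drive that should be inspected or scanned before the drive is used on another PC.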

Payload

Communicates with a remote server

Gamarue.F tries to connect to the following servers via HTTP GET to report its infection and to download additional arbitrary files:

At the time of this writing, the servers and requested files were unavailable for further analysis.